Enable Deletion Protection for Elastic Load Balancing
Resources:
  MyLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      LoadBalancerName: example
      AvailabilityZones:
        - us-west-2a
        - us-west-2b
        - us-west-2c
      Listeners:
        - InstancePort: 80
          InstanceProtocol: HTTP
          LoadBalancerPort: 80
          Protocol: HTTP
The CloudFormation template above creates an Elastic Load Balancer (ELB) in AWS without enabling the deletion protection feature. The ELB listens on port 80 and distributes incoming traffic across the availability zones "us-west-2a", "us-west-2b", and "us-west-2c".
The weakness is the absence of the DeletionProtection attribute in the resource properties: without it, the ELB can be deleted, accidentally or intentionally, without restriction.
In a production environment, deleting an ELB can cause a service outage or loss of availability. To prevent this, enable deletion protection by including the DeletionProtection property, set to true, in the resource definition.
Resources:
  MyLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      LoadBalancerName: example
      AvailabilityZones:
        - us-west-2a
        - us-west-2b
        - us-west-2c
      DeletionProtection: true
      Listeners:
        - InstancePort: 80
          InstanceProtocol: HTTP
          LoadBalancerPort: 80
          Protocol: HTTP
This CloudFormation template enables deletion protection for the ELB by setting the DeletionProtection property to true. With this configuration, the ELB cannot be deleted through the AWS Management Console, CLI, or API until the protection is explicitly removed.
Enabling deletion protection is a recommended best practice to prevent accidental or unauthorized deletions that could disrupt services.
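The following is an added example, not part of the original page, showing how a template review could flag load balancers that lack deletion protection before they are deployed. One caveat a practitioner should know: in the AWS API, deletion protection is an attribute of the ELBv2 family (Application, Network and Gateway Load Balancers, resource type AWS::ElasticLoadBalancingV2::LoadBalancer), where CloudFormation expresses it as a LoadBalancerAttributes entry with Key deletion_protection.enabled and Value "true"; the Classic Load Balancer resource type used in the templates above exposes no deletion-protection attribute at all, so the check below reports Classic resources separately and only credits them when the CloudFormation-level DeletionPolicy: Retain safeguard is present. The checker works on a parsed template (here a constructed sample in CloudFormation's JSON form so it runs offline without a YAML library); the subnet IDs and logical names in the sample are placeholders, and the helper names are this example's own.

```python
import json

# CloudFormation resource types for the two load balancer generations.
ELB_CLASSIC = "AWS::ElasticLoadBalancing::LoadBalancer"
ELBV2 = "AWS::ElasticLoadBalancingV2::LoadBalancer"
# ELBv2 attribute that turns deletion protection on; its Value is a string in CloudFormation.
DELETION_PROTECTION_KEY = "deletion_protection.enabled"


def _is_true(value):
    """CloudFormation attribute values arrive as strings ("true"), but a parsed
    template may also carry a real boolean; treat both spellings as enabled."""
    return value is True or str(value).strip().lower() == "true"


def elbv2_deletion_protection(resource):
    """True when an ELBv2 resource carries deletion_protection.enabled = true."""
    props = resource.get("Properties") or {}
    for attr in props.get("LoadBalancerAttributes") or []:
        if isinstance(attr, dict) and attr.get("Key") == DELETION_PROTECTION_KEY:
            return _is_true(attr.get("Value"))
    return False  # attribute absent: AWS defaults it to disabled


def enable_deletion_protection(resource):
    """Return a copy of an ELBv2 resource with deletion protection switched on,
    adding the attribute if it is missing and correcting it if it is "false"."""
    fixed = json.loads(json.dumps(resource))  # deep copy so the input is not mutated
    props = fixed.setdefault("Properties", {})
    attrs = props.setdefault("LoadBalancerAttributes", [])
    for attr in attrs:
        if isinstance(attr, dict) and attr.get("Key") == DELETION_PROTECTION_KEY:
            attr["Value"] = "true"
            break
    else:
        attrs.append({"Key": DELETION_PROTECTION_KEY, "Value": "true"})
    return fixed


def check_deletion_protection(template):
    """Map every load balancer logical ID in a parsed template to one of:
    protected, unprotected, unsupported (Classic LB: no such attribute exists)
    or retained (Classic LB guarded by CloudFormation's DeletionPolicy: Retain)."""
    findings = {}
    for logical_id, resource in (template.get("Resources") or {}).items():
        rtype = resource.get("Type")
        if rtype == ELBV2:
            protected = elbv2_deletion_protection(resource)
            findings[logical_id] = "protected" if protected else "unprotected"
        elif rtype == ELB_CLASSIC:
            # The Classic Load Balancer API has no deletion-protection attribute,
            # so the only template-level guard is the resource's DeletionPolicy.
            retained = resource.get("DeletionPolicy") == "Retain"
            findings[logical_id] = "retained" if retained else "unsupported"
    return findings


# Constructed sample template in CloudFormation's JSON form (subnet IDs are placeholders).
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "ClassicLB": {
      "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
      "Properties": {
        "LoadBalancerName": "example",
        "AvailabilityZones": ["us-west-2a", "us-west-2b", "us-west-2c"],
        "Listeners": [{"InstancePort": "80", "InstanceProtocol": "HTTP",
                       "LoadBalancerPort": "80", "Protocol": "HTTP"}]
      }
    },
    "UnprotectedAlb": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {"Type": "application",
                     "Subnets": ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"]}
    },
    "DisabledAlb": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {"Type": "application",
                     "Subnets": ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"],
                     "LoadBalancerAttributes": [{"Key": "deletion_protection.enabled", "Value": "false"}]}
    },
    "ProtectedAlb": {
      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
      "Properties": {"Type": "application",
                     "Subnets": ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"],
                     "LoadBalancerAttributes": [{"Key": "deletion_protection.enabled", "Value": "true"}]}
    }
  }
}
""")


if __name__ == "__main__":
    for logical_id, status in check_deletion_protection(SAMPLE_TEMPLATE).items():
        print(f"{logical_id}: {status}")
    fixed = enable_deletion_protection(SAMPLE_TEMPLATE["Resources"]["DisabledAlb"])
    print(json.dumps(fixed["Properties"]["LoadBalancerAttributes"]))
```

Run as a script it lists each load balancer with its status and then shows the attribute list after enable_deletion_protection has corrected the "false" entry. An absent attribute is treated the same as "false" because AWS defaults deletion protection to disabled, which is the case the original templates are warning about; a value of "true" set in a template only stops deletion of the load balancer itself, so a separate stack policy or DeletionPolicy is still the right guard against a whole-stack delete.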